PT-2026-22018 · Freerdp+3 · Freerdp+3

Ppcavalcante · Published 2026-01-01 · Updated 2026-04-25 · CVE-2026-26965

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

FreeRDP versions prior to 3.23.0

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. A flaw exists in the RLE planar decode path within the planar_decompress_plane_rle() function, where it writes to memory without proper bounds checking. Specifically, it writes to pDstData at ((nYDst+y) * nDstStep) + (4*nXDst) + nChannel without verifying that (nYDst+nSrcHeight) fits within the destination height or that (nXDst+nSrcWidth) fits within the destination stride. When TempFormat is not equal to DstFormat, pDstData becomes planar->pTempData, and nYDst is only validated against the surface using is_within_surface(). A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The out-of-bounds write can reach up to 132,096 bytes past the end of the temporary buffer. On the brk heap, the decode function pointer within an adjacent NSC_CONTEXT struct can be overwritten with attacker-controlled pixel data, leading to control-flow corruption.

Recommendations

FreeRDP versions prior to 3.23.0 should be updated to version 3.23.0 or later.
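
The two checks the description says are missing can be written as follows. This is an added example, not FreeRDP's code or its actual patch: the helper names and the nDstHeight parameter are hypothetical, the other names follow the description, and it assumes 4 bytes per pixel with one pixel written every 4 bytes along a row.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not FreeRDP code). Returns true only if the rectangle
 * the planar RLE decoder is about to write fits inside the buffer it really
 * writes to: nDstHeight rows of nDstStep bytes. When TempFormat != DstFormat
 * that buffer is the temporary one, so its dimensions must be passed here,
 * not the dimensions of the surface. */
bool planar_dst_rect_fits(uint32_t nDstStep, uint32_t nDstHeight,
                          uint32_t nXDst, uint32_t nYDst,
                          uint32_t nSrcWidth, uint32_t nSrcHeight)
{
    /* 64-bit sums: server-chosen 32-bit values must not wrap around. */
    const uint64_t endRow = (uint64_t)nYDst + nSrcHeight;         /* exclusive */
    const uint64_t endByte = 4ull * ((uint64_t)nXDst + nSrcWidth); /* exclusive */

    if (nSrcWidth == 0 || nSrcHeight == 0)
        return false; /* empty rectangle: nothing valid to decode */
    if (endRow > nDstHeight)
        return false; /* (nYDst + nSrcHeight) exceeds destination height */
    if (endByte > nDstStep)
        return false; /* (nXDst + nSrcWidth) pixels exceed one stride */
    return true;
}

/* Highest byte offset touched for the rectangle, using the description's
 * formula ((nYDst + y) * nDstStep) + (4 * nXDst) + nChannel, evaluated for
 * the last row, the last pixel of that row and channel 3. */
uint64_t planar_max_write_offset(uint32_t nDstStep, uint32_t nXDst, uint32_t nYDst,
                                 uint32_t nSrcWidth, uint32_t nSrcHeight)
{
    if (nSrcWidth == 0 || nSrcHeight == 0)
        return 0;
    const uint64_t row = (uint64_t)nYDst + nSrcHeight - 1;
    const uint64_t col = (uint64_t)nXDst + nSrcWidth - 1;
    return row * nDstStep + 4ull * col + 3;
}

int main(void)
{
    /* Constructed sample: a 64x64 temporary buffer with a 256-byte stride. */
    const uint32_t step = 256, height = 64;
    printf("full rect fits: %d, max offset %llu of %u bytes\n",
           planar_dst_rect_fits(step, height, 0, 0, 64, 64),
           (unsigned long long)planar_max_write_offset(step, 0, 0, 64, 64),
           step * height);
    printf("rect starting at row 60, 8 rows tall fits: %d\n",
           planar_dst_rect_fits(step, height, 0, 60, 64, 8));
    return 0;
}
```

A decoder that rejects the update when the first function returns false never computes a write offset at or beyond nDstStep * nDstHeight.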

Exploit

Fix

RCE

Memory Corruption

Weakness Enumeration

Related Identifiers

ALSA-2026:5939
ALSA-2026:6004
ALSA-2026:6005
BDU:2026-04153
CVE-2026-26965
GHSA-5VGF-MW4F-R33H
MGASA-2026-0086
OESA-2026-2036
OESA-2026-2037
OESA-2026-2038
OESA-2026-2039
OESA-2026-2040
OPENSUSE-SU-2026:10408-1
OPENSUSE-SU-2026:10459-1
OPENSUSE-SU-2026:20632-1
OPENSUSE-SU-2026:20657-1
RHSA-2026:5936
RHSA-2026:5939
RHSA-2026:6004
RHSA-2026:6005
RHSA-2026:6384
RHSA-2026:6385
RHSA-2026:6395
RHSA-2026:6396
RHSA-2026:6616
RHSA-2026:6665
RHSA-2026:6712
RHSA-2026:6764
RHSA-2026:7292
SUSE-SU-2026:1129-1
SUSE-SU-2026:1160-1
SUSE-SU-2026:1164-1
SUSE-SU-2026:1165-1
SUSE-SU-2026:1398-1
SUSE-SU-2026:21436-1
USN-8105-1

Affected Products

Freerdp
Linuxmint
Rocky Linux
Ubuntu